Companies around the world strive to have that perfect corporate culture in which employees are not only friendly and relaxed, but also efficient and productive. This type of environment makes employees happy, which consequently makes their customers happy. However, this idyllic corporate culture creates a false sense of security because it’s built on trust rather than security and provides cyber-criminals with the perfect opportunity to strike.
An organization can have secure firewalls, servers, and workstations, but if their corporate culture is too lax, their entire network is at risk. Considering the effect that a security breach can have on an organization’s reputation, employees, and customers, a company’s corporate culture should be built with security at the forefront so it becomes second nature.
What Is Security Culture?
Security culture is a collection of practices, processes, and procedures designed to minimize security risk and create a shared mindset among the workforce that effortlessly embeds security into all aspects of the organization. Everyone from the CEO to the first rung of the proverbial corporate ladder plays an equally important role in cyber security, and all employees must understand their responsibility in preventing security incidents.
How do I know if our corporate culture is the problem?
Every corporate culture is different, so we provide four tips that allow you to think about your own culture and determine whether it puts you at greater risk of a security incident.
TIP # 1: REMOVE THE STIGMA
In many companies, there is a stigma around being “patient zero” with regard to security incidents. Companies with a poor security culture may either ostracize or take disciplinary action against employees who cause security incidents, which makes them less likely to report incidents for fear of embarrassment. If employees don’t report security incidents, it takes much longer to detect, isolate, and ultimately resolve the problem.
Although nobody wants to be the employee that caused their entire infrastructure to be crippled by WannaCry ransomware, a company with a well-established security culture is at a reduced risk of significant impact because people aren’t afraid to report incidents. If an incident does occur, employees know who to contact and what actions to take to halt the spread of infection.
TIP #2: NO COMPANY IS TOO SMALL TO BE A TARGET
“My company is only 50 people. What cyber-criminal would want to attack us?”
Cyber-criminals don’t care about the size of a company; they seek out the most vulnerable area of a company – its staff. Whether a company is 50 people or 5,000 people, the staff is always the largest attack surface in any organization, and it is critical that they play their role as the “human firewall” to protect against security incidents.
Employee security training arms them with the knowledge they need to be able to identify suspicious activity, and teaches them how to respond appropriately if an attack is successful.
TIP #3: DON’T BE SO TRUSTING
We’re not saying don’t trust your coworkers. You should trust them, but only with the right things. Trust that they’re not going to eat your sandwich when you leave it in the break room refrigerator. Trust that they won’t repeatedly press the door close button as you sprint toward the elevator at quitting time. However, do not trust them with your personal data. If in doubt, here are some things to remember:
- Your passwords should never be provided to someone else under any circumstances
- Lock your office door when you leave
- Lock your computer when you leave it unattended
- Don’t leave papers with sensitive data on your desk
TIP #4: ELIMINATE ROLE-CREEP
Role-creep is the retention of access rights and permissions that an employee accumulates as they change positions within a company; in many smaller companies, role-creep runs rampant. Here is an example of role-creep:
Joe Everyguy starts at a company as a senior account manager and receives all access rights associated with the role. Later, he accepts a new position as a marketing analyst, but maintains all the rights associated with the senior account manager. He has far more access now than is needed for his new role.
Keeping accurate privileges is not only good housekeeping, it also maintains alignment with the industry-recognized best practice of the principle of least privilege, which ensures that users operate at privilege levels no higher than necessary to complete their job functions.
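As an added illustration of the Joe Everyguy scenario (example code, not Dataprise's own tooling), the script below audits a user's current grants against the entitlements of their current role, attributes each excess grant to the previous role that explains it, and flags grants no role explains at all. All role names, entitlements and the user record are constructed sample data.

```python
# Added example: a small role-creep audit over constructed entitlement data.
# Role names, entitlement strings and the user record are all made up.

ROLE_ENTITLEMENTS = {
    # constructed sample roles and the access each role actually needs
    "senior_account_manager": {"crm:read", "crm:write", "billing:read", "billing:approve"},
    "marketing_analyst": {"crm:read", "analytics:read", "campaigns:write"},
}

# Constructed record for a user who moved from one role to another and kept
# every grant from the old role, plus one grant no role ever required.
USER_GRANTS = {
    "joe.everyguy": {
        "current_role": "marketing_analyst",
        "previous_roles": ["senior_account_manager"],
        "grants": {"crm:read", "crm:write", "billing:read", "billing:approve",
                   "analytics:read", "campaigns:write", "vpn:admin"},
    },
}


def audit_user(username, grants_db=USER_GRANTS, roles=ROLE_ENTITLEMENTS):
    """Compare a user's held grants with the entitlements of their current role.

    Returns a dict with:
      excess  - grants held but not needed now, mapped to the previous role that
                explains them, or "unexplained" when no role ever granted them
      missing - grants the current role needs but the user does not hold
    """
    record = grants_db[username]
    needed = roles[record["current_role"]]
    held = record["grants"]
    excess = {}
    for grant in sorted(held - needed):
        origin = next((r for r in record["previous_roles"] if grant in roles[r]), None)
        excess[grant] = origin or "unexplained"
    return {"user": username, "excess": excess, "missing": sorted(needed - held)}


def revoke_excess(username, grants_db=USER_GRANTS, roles=ROLE_ENTITLEMENTS):
    """Trim the user's grants to exactly the current role's entitlements
    (least privilege) and return the sorted list of grants removed."""
    report = audit_user(username, grants_db, roles)
    grants_db[username]["grants"] -= set(report["excess"])
    return sorted(report["excess"])


if __name__ == "__main__":
    print(audit_user("joe.everyguy"))
    print("revoked:", revoke_excess("joe.everyguy"))
```

Running the audit on a periodic schedule, or as part of every role-change ticket, is what turns the principle of least privilege from a policy statement into something that is actually enforced.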
How Do We Improve?
To ensure that security is embedded in all aspects of the corporate environment, corporate and security culture must be intertwined. Doing so promotes all the benefits of a friendly, productive, and most importantly, secure workplace.
This type of environment is attainable, but it does not appear overnight and takes effort from the entire organization. Going from a lax environment to one with stricter security policies and controls could have a negative impact on your staff, so it’s important to take the time to explain the reasons thoroughly to ensure the staff not only understands the benefits, but also supports the new initiatives.
A great first step is providing employee security training. Training provides real-world examples so your staff knows how to identify suspicious behavior. It also provides the following benefits:
- Builds an internal culture of cyber security and security competence
- Educates employees on how to reduce risk and protect company data and information
- Motivates employees to improve their behaviors and incorporate security concerns into their decision making
- Shows customers that your organization cares about protecting their information
As an experienced Managed Security Service Provider, Dataprise can help integrate security best practices into your workplace to make your data and your customers’ data more secure. To learn more about how Dataprise can help you, visit our Security Services page here.